Commit Graph

515 Commits

Author SHA1 Message Date
Dave Airlie
de19322d55 Merge remote branch 'korg/drm-core-next' into drm-next-stage
* korg/drm-core-next:
  drm/ttm: handle OOM in ttm_tt_swapout
  drm/radeon/kms/atom: fix shr/shl ops
  drm/kms: fix spelling of "CLOCK"
  drm/kms: fix fb_changed = true else statement
  drivers/gpu/drm/drm_fb_helper.c: don't use private implementation of atoi()
  drm: switch all GEM/KMS ioctls to unlocked ioctl status.
  Use drm_gem_object_[handle_]unreference_unlocked where possible
  drm: introduce drm_gem_object_[handle_]unreference_unlocked
2010-02-25 13:39:29 +10:00
Alex Deucher
6a8a2d702b drm/radeon/kms/atom: fix shr/shl ops
The whole attribute table is valid for
shr/shl ops.

Fixes fdo bug 26668

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-25 13:32:06 +10:00
Dave Airlie
635f1a3129 drm/radeon: bump the UMS driver version number to indicate rv740 fix
This lets UMS userspace know the rv740 fix is in. For KMS we can
consider the kernel release to be the v2.0.0 release so we don't need the
bump there.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-20 09:17:18 +10:00
Jerome Glisse
7d404c7b5f drm/radeon/kms: free fence IB if it wasn't emited at IB free time
If at IB free time fence wasn't emited that means the IB wasn't
scheduled because an error occured somewhere, thus we can free
then fence and mark the IB as free.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-20 07:35:18 +10:00
Alex Deucher
6a660f06e8 drm/radeon/rv740: fix backend setup
This patch fixes occlusion queries and rendering errors
on rv740 boards. Hardcoding the backend map is not an optimal
solution, but a better fix is being worked on.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-20 07:28:16 +10:00
Alex Deucher
d3932d6c47 drm/radeon/kms: fix shared ddc detection
Just compare the i2c id since the i2c structs
may be slighly different.

Fixes fdo bug 26616.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-20 07:28:06 +10:00
Alex Deucher
c86a903836 drm/radeon/kms/rs600: add connector quirk
rs600 board lists DVI port as HDMI.

Fixes fdo bug 26605

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-20 07:28:05 +10:00
Jerome Glisse
94429bb6c8 drm/radeon/kms: fix bo's fence association
Previous code did associate fence to bo before the fence was emited
and it also didn't lock protected access to ttm sync_obj member.
Both of this flaw leads to possible race between different code
path. This patch fix this by associating fence only once the fence
is emitted and properly lock protect access to sync_obj member of
ttm.

Fix:
https://bugs.freedesktop.org/show_bug.cgi?id=26438
and likely similar others bugs
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-18 15:07:04 +10:00
Jerome Glisse
91cb91becf drm/radeon/kms: fix indirect buffer management V2
There is 3 different distinct states for an indirect buffer (IB) :
  1- free with no fence
  2- free with a fence
  3- non free (fence doesn't matter)
Previous code mixed case 2 & 3 in a single one leading to possible
catastrophique failure. This patch rework the handling and properly
separate each case. So when you get ib we set the ib as non free and
fence status doesn't matter. Fence become active (ie has a meaning
for the ib code) once the ib is scheduled or free. This patch also
get rid of the alloc bitmap as it was overkill, we know go through
IB pool list like in a ring buffer as the oldest IB is the first
one the will be free.

Fix :
https://bugs.freedesktop.org/show_bug.cgi?id=26438
and likely other bugs.

V2 remove the scheduled list, it's useless now, fix free ib scanning

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-18 15:06:41 +10:00
Dave Airlie
01d4503968 drm/radeon/kms: use udelay for short delays
For usec delays use udelay instead of scheduling, this should
allow reclocking to happen faster. This also was the cause
of reported 33s delays at bootup on certain systems.

fixes: freedesktop.org bug 25506

Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-18 15:00:08 +10:00
Dave Airlie
e803e8b262 drm/radeon/kms: make sure retry count increases.
In testing I've never seen it go past 1 retry anyways but better
safe than sorry.

Reported by Droste on irc.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-15 15:24:48 +10:00
Matt Turner
ce36f00d59 drm/radeon/kms/atom: use get_unaligned_le32() for ctx->ps
Noticed on a DEC Alpha.

Start up into console mode caused 15 unaligned accesses, and starting X
caused another 48.

Signed-off-by: Matt Turner <mattst88@gmail.com>
CC: Jerome Glisse <jglisse@redhat.com>
CC: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-15 11:19:14 +10:00
Luca Barbieri
bc9025bdc4 Use drm_gem_object_[handle_]unreference_unlocked where possible
Mostly obvious simplifications.

The i915 pread/pwrite ioctls, intel_overlay_put_image and
nouveau_gem_new were incorrectly using the locked versions
without locking: this is also fixed in this patch.

Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 14:22:34 +10:00
Dave Airlie
0a4583eb98 Merge branch 'drm-radeon-linus' of ../drm-next
* 'drm-radeon-linus' of ../drm-next:
  drm/radeon/kms: retry auxch on 0x20 timeout value.
  drm/radeon: Skip dma copy test in benchmark if card doesn't have dma engine.
  drm/radeon/kms: fix screen clearing before fbcon.
  drm/radeon/kms: add quirk for VGA without DDC on rv730 XFX card.
  drm/radeon/kms: don't crash if no DDC bus on VGA/DVI connector.
  drm/radeon/kms: change Kconfig text to reflect the new option.
  drm/radeon/kms: suspend and resume audio stuff
2010-02-11 14:03:51 +10:00
Dave Airlie
648ac05c4f drm/radeon/kms: retry auxch on 0x20 timeout value.
ATOM appears to return 0x20 which seems to mean some sort of timeout.

retry the transaction up to 10 times before failing, this
makes DP->VGA convertor we bought work at least a bit more predictably.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 14:03:18 +10:00
Pauli Nieminen
c60a284cc4 drm/radeon: Skip dma copy test in benchmark if card doesn't have dma engine.
radeon_copy_dma is only available for r200 or newer cards.
Call to radeon_copy_dma would result to NULL pointer
dereference if benchmarking asic without dma engine.

Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 13:13:25 +10:00
Dave Airlie
6719fc663c drm/radeon/kms: fix screen clearing before fbcon.
This memset_io was added to debug something way back and got
left behind, memset the fb to black so the borders don't be all white.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 11:25:27 +10:00
Dave Airlie
efa8450f6c drm/radeon/kms: add quirk for VGA without DDC on rv730 XFX card.
Reported on irc by nirbheek.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-09 09:06:00 +10:00
Dave Airlie
4b9d2a2112 drm/radeon/kms: don't crash if no DDC bus on VGA/DVI connector.
This is strange - like really really strange, twilight zone of strange.
VGA ports have DDC buses, but sometimes for some reasons the BIOS
says we don't and we oops - AMD mentioned bios bugs so we'll have
to add quirks.

reported on irc by nirbheek and
https://bugzilla.redhat.com/show_bug.cgi?id=554323

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-09 08:54:42 +10:00
Dave Airlie
1ca137cdcd drm/radeon/kms: change Kconfig text to reflect the new option.
Ingo pointed out that we really don't give the user enough warning to make
a decision here. So revise the Kconfig text with a better warning.

Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-08 15:05:58 +10:00
Linus Torvalds
cbee4751f6 Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: fix r300 vram width calculations
  drm/radeon/kms: rs400/480 MC setup is different than r300.
  drm/radeon/kms: make initial state of load detect property correct.
  drm/radeon/kms: disable HDMI audio for now on rv710/rv730
  drm/radeon/kms: don't call suspend path before cleaning up GPU
  drivers/gpu/drm/radeon/radeon_combios.c: fix warning
  ati_pcigart: fix printk format warning
  drm/r100/kms: Emit cache flush to the end of command buffer. (v2)
  drm/radeon/kms: fix regression rendering issue on R6XX/R7XX
  drm/radeon/kms: move blit initialization after we disabled VGA
2010-02-05 07:24:01 -08:00
Rafał Miłecki
38fd2c6ff5 drm/radeon/kms: suspend and resume audio stuff
Fixes FDO bug #26214

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 15:26:19 +10:00
Dave Airlie
5ff5571767 drm/radeon/kms: fix r300 vram width calculations
This was incorrect according to the docs and the UMS driver does
it like this.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 14:00:03 +10:00
Dave Airlie
a17538f93c drm/radeon/kms: rs400/480 MC setup is different than r300.
Boot testing on my rs480 laptop found the MC idle never happened
on startup, a quick check with AMD found the idle bit is in a different
place on the rs4xx than r300.

Implement a new rs400 mc idle function to fix this.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 13:40:16 +10:00
Dave Airlie
624ab4f87e drm/radeon/kms: make initial state of load detect property correct.
this was incorrect on my rs480.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 12:03:00 +10:00
Dave Airlie
23fff28a9b drm/radeon/kms: disable HDMI audio for now on rv710/rv730
Support isn't correct yet and we are getting green tinges on the
displays.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:57:42 +10:00
Jerome Glisse
655efd3dc9 drm/radeon/kms: don't call suspend path before cleaning up GPU
In suspend path we unmap the GART table while in cleaning up
path we will unbind buffer and thus try to write to unmapped
GART leading to oops. In order to avoid this we don't call the
suspend path in cleanup path. Cleanup path is clever enough
to desactive GPU like the suspend path is doing, thus this was
redondant.

Tested on: RV370, R420, RV515, RV570, RV610, RV770 (all PCIE)

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:49:52 +10:00
Andrew Morton
94cf6434a1 drivers/gpu/drm/radeon/radeon_combios.c: fix warning
drivers/gpu/drm/radeon/radeon_combios.c: In function 'radeon_combios_get_lvds_info':
drivers/gpu/drm/radeon/radeon_combios.c:893: warning: comparison is always false due to limited range of data type

Cc: Dave Airlie <airlied@linux.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:47:14 +10:00
Pauli Nieminen
9e5b2af75a drm/r100/kms: Emit cache flush to the end of command buffer. (v2)
Cache flush is required in case CPU is accessing rendered data.

This fixes glean/readPixSanity test case and random rendering
errors in sauerbraten and warzone2100.

v2 Fix comment ordering in r100_fence_ring_emit and remove extra
   defines added in first version.

Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:45:10 +10:00
Jerome Glisse
062b389c87 drm/radeon/kms: fix regression rendering issue on R6XX/R7XX
It seems that some R6XX/R7XX silently ignore HDP flush when
programmed through ring, this patch addback an ioctl callback
to allow R6XX/R7XX hw to perform such flush through MMIO in
order to fix a regression. For more details see:

http://bugzilla.kernel.org/show_bug.cgi?id=15186

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:43:51 +10:00
Jerome Glisse
c38c7b64a2 drm/radeon/kms: move blit initialization after we disabled VGA
VGA might be overwritting VRAM and corrupt our blit shader leading
to corruption, it likely won't happen if you load fbcon right after
radeon. Thanks to Shawn Starr and Andre Maasikas for tracking down
this issue.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:43:09 +10:00
Linus Torvalds
9ce929078a Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: Fix oops after radeon_cs_parser_init() failure.
  drm/radeon/kms: move radeon KMS on/off switch out of staging.
  drm/radeon/kms: Bailout of blit if error happen & protect with mutex V3
  drm/vmwgfx: Don't send bad flags to the host
  drm/vmwgfx: Request SVGA version 2 and bail if not found
  drm/vmwgfx: Correctly detect 3D
  drm/ttm: remove unnecessary save_flags and ttm_flag_masked in ttm_bo_util.c
  drm/kms: Remove incorrect comment in struct drm_mode_modeinfo
  drm/ttm: remove padding from ttm_ref_object on 64bit builds
  drm/radeon/kms: release agp on error.
  drm/kms/radeon/agp: Move the check of the aper_size after drm_acp_acquire and drm_agp_info
  drm/kms/radeon/agp: Fix warning, format ‘%d’ expects type ‘int’, but argument 4 has type ‘size_t’
  drm/ttm: Avoid conflicting reserve_memtype during ttm_tt_set_page_caching.
  drm/kms/radeon: pick digitial encoders smarter. (v3)
  drm/radeon/kms: use active device to pick connector for encoder
  drm/radeon/kms: fix incorrect logic in DP vs eDP connector checking.
2010-02-01 10:46:49 -08:00
Michel Dänzer
17aafccab4 drm/radeon/kms: Fix oops after radeon_cs_parser_init() failure.
If radeon_cs_parser_init() fails, radeon_cs_ioctl() calls
radeon_cs_parser_fini() with the non-zero error value. The latter dereferenced
parser->ib which hasn't been initialized yet -> boom. Add a test for parser->ib
being non-NULL before dereferencing it.

Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 12:49:28 +10:00
Jerome Glisse
ff82f052d2 drm/radeon/kms: Bailout of blit if error happen & protect with mutex V3
If an error happen in r600_blit_prepare_copy report it rather
than WARNING and keeping execution. For instance if ib allocation
failed we did just warn about but then latter tried to access
NULL ib ptr causing oops. This patch also protect r600_copy_blit
with a mutex as otherwise one process might overwrite blit temporary
data with new one possibly leading to GPU lockup.

Should partialy or totaly fix:
https://bugzilla.redhat.com/show_bug.cgi?id=553279

V2 failing blit initialization is not fatal, fallback to memcpy when
this happen
V3 init blit before startup as we pin in startup, remove duplicate
code (this one was actualy tested unlike V2)

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:33:11 +10:00
Dave Airlie
4b866288be drm/radeon/kms: release agp on error.
if we get an error, release the AGP if we've acquired it already.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:22:10 +10:00
John Kacur
2dea2e29b9 drm/kms/radeon/agp: Move the check of the aper_size after drm_acp_acquire and drm_agp_info
First call drm_agp_acquire to check if agp has been acquired.
Second call drm_agp_info to fill in the info data struct, including aper_size.
Finally do the check to see if the aper_size makes sense.

Signed-off-by: John Kacur <jkacur@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:19:31 +10:00
John Kacur
cdb6e375c3 drm/kms/radeon/agp: Fix warning, format ‘%d’ expects type ‘int’, but argument 4 has type ‘size_t’
- Fix warning by using %zu instead of %d for size_t
- Fix spelling mistake, "to" should be "too".

Signed-off-by: John Kacur <jkacur@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:19:08 +10:00
Dave Airlie
f28cf33945 drm/kms/radeon: pick digitial encoders smarter. (v3)
booting a Lenovo W500 with LVDS + DP outputs showed up a TODO we had
on our list, to pick a correct digital encoder block. The LVTMA
encoder requires the second digital encoder, all others can use any
encoder at all.

This fixes the digital encoder selection logic to enable LVDS/DP combos
to work okay.

V2: fix silly addition of connector dig_block and cleanup the other
places in the code that pick the encoder.

V3: rename to dig_encoder and clean up further - also fix
the picking algorithm.

tested on Lenovo W500 + desktop 3650 cards.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:13:15 +10:00
Dave Airlie
43c33ed87d drm/radeon/kms: use active device to pick connector for encoder
On the W500 we have UNIPHY routed to both DVI and DP, this seems
to always pick the DVI connector which means link training fails.

Switch to using active device to pick the connector, this seems
like it should be safe from a code review, and it fixes things
a bit more here.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:12:26 +10:00
Dave Airlie
97b94ccb9a drm/radeon/kms: fix incorrect logic in DP vs eDP connector checking.
This makes displayport work again here.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:12:17 +10:00
Linus Torvalds
abefedd538 Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (95 commits)
  drm/radeon/kms: preface warning printk with driver name
  drm/radeon/kms: drop unnecessary printks.
  drm: fix regression in fb blank handling
  drm/radeon/kms: make hibernate work on IGPs
  drm/vmwgfx: Optimize memory footprint for DMA buffers.
  drm/ttm: Allow system memory as a busy placement.
  drm/ttm: Fix race condition in ttm_bo_delayed_delete (v3, final)
  drm/nv50: prevent switching off SOR when in use for DVI-over-DP
  drm/nv50: fail auxch transaction if reply count not what we expect
  drm/nouveau: fix failure path if userspace specifies no valid memtypes
  drm/nouveau: report LVDS as disconnected if lid closed
  drm/radeon/kms: fix legacy get_engine/memory clock
  drm/radeon/kms/atom: atom parser fixes
  drm/radeon/kms: clean up atombios pll code
  drm/radeon/kms: clean up pll struct
  drm/radeon/kms/atom: fix crtc lock ordering
  drm/radeon: r6xx/r7xx possible security issue, system ram access
  drm/radeon/kms: r600/r700 don't test ib if ib initialization fails
  drm/radeon/kms: Forbid creation of framebuffer with no valid GEM object
  drm/radeon/kms: r600 handle irq vector ring overflow
  ...
2010-01-25 18:59:47 -08:00
Dave Airlie
7087e16286 drm/radeon/kms: preface warning printk with driver name
This just adds a little more info to the warning for old -ati/mesa
userspaces.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:13:55 +10:00
Dave Airlie
f2ab3a13d2 drm/radeon/kms: drop unnecessary printks.
These printks aren't required anymore.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:13:12 +10:00
Dave Airlie
d796d8446f drm/radeon/kms: make hibernate work on IGPs
This is the least invasive fix without migrating the radeon driver
to pm_ops from what I can see. We just always migrate VRAM objects
on IGPs for now and we can fix it up later to migrate depending
on STR vs STD.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:04:42 +10:00
Alex Deucher
38678d3557 drm/radeon/kms: fix legacy get_engine/memory clock
Fix a bad shift in the post div.

Should fix fdo bug 26145

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:25:38 +10:00
Alex Deucher
947bfc8304 drm/radeon/kms/atom: atom parser fixes
Only reset the reg block on the initial execute
table call; nested calls require the reg block not be
reset on each call.  Also reset the fb window and
io mode.  This matches the upstream parser behavior.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:25:05 +10:00
Alex Deucher
4eaeca3351 drm/radeon/kms: clean up atombios pll code
- split pll adjust into a separate function
- use a union for SetPixelClock params

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:24:29 +10:00
Alex Deucher
fc10332b8a drm/radeon/kms: clean up pll struct
- add a new flag for fixed post div
- pull the pll flags into the struct

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:24:23 +10:00
Alex Deucher
a348c84d95 drm/radeon/kms/atom: fix crtc lock ordering
This makes crtc_prepare and crtc_commit match.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:23:38 +10:00
Jerome Glisse
c8c15ff1e9 drm/radeon: r6xx/r7xx possible security issue, system ram access
This patch workaround a possible security issue which can allow
user to abuse drm on r6xx/r7xx hw to access any system ram memory.
This patch doesn't break userspace, it detect "valid" old use of
CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
the address these registers are pointing to with the one of the
last color buffer. This workaround will work for old mesa &
xf86-video-ati and any old user which did use similar register
programming pattern as those (we expect that there is no others
user of those ioctl except possibly a malicious one). This patch
add a warning if it detects such usage, warning encourage people
to update their mesa & xf86-video-ati. New userspace will submit
proper relocation.

Fix for xf86-video-ati / mesa (this kernel patch is enough to
prevent abuse, fix for userspace are to set proper cs stream and
avoid kernel warning) :
http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f

Abusing this register to perform system ram memory is not easy,
here is outline on how it could be achieve. First attacker must
have access to the drm device and be able to submit command stream
throught cs ioctl. Then attacker must build a proper command stream
for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
overwrite the GPU GART which is in VRAM. To achieve so attacker
as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
to the GPU GART, then it has to find a way to write predictable
value into those buffer (with little cleverness i believe this
can be done but this is an hard task). Once attacker have such
program it can overwritte GPU GART to program GPU gart to point
anywhere in system memory. It then can reusse same method as he
used to reprogram GART to overwritte the system ram through the
GART mapping. In the process the attacker has to be carefull to
not overwritte any sensitive area of the GART table, like ring
or IB gart entry as it will more then likely lead to GPU lockup.
Bottom line is that i think it's very hard to use this flaw
to get system ram access but in theory one can achieve so.

Side note: I am not aware of anyone ever using the GPU as an
attack vector, nevertheless we take great care in the opensource
driver to try to detect and forbid malicious use of GPU. I don't
think the closed source driver are as cautious as we are.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21 08:49:32 +10:00